Include letsencrypt setup & add woodpecker nginx config

2024-12-10 21:20:52 +01:00 · 2024-12-10 21:20:52 +01:00 · c9a68c6a3f
commit c9a68c6a3f
parent b5db9c3daf
7 changed files with 88 additions and 1 deletions
--- a/handlers.yml
+++ b/handlers.yml
@ -33,3 +33,10 @@
    state: restarted
    enabled: true
    scope: user
 - name: restart certbot
  become: true
  systemd:
    name: certbot
    state: restarted
    enabled: false
--- a/tasks/nginx.yml
+++ b/tasks/nginx.yml
@ -9,6 +9,7 @@
  loop:
    - { src: 'templates/nginx/default.j2', dest: '/etc/nginx/sites-available/default' }
    - { src: 'templates/nginx/forgejo.j2', dest: '/etc/nginx/sites-available/forgejo' }
    - { src: 'templates/nginx/woodpecker.j2', dest: '/etc/nginx/sites-available/woodpecker' }
    - { src: 'templates/nginx/sentry.j2', dest: '/etc/nginx/sites-available/sentry' }
    - { src: 'templates/nginx/vpn.j2', dest: '/etc/nginx/sites-available/vpn' }
    - {
@ -32,6 +33,10 @@
        src: '/etc/nginx/sites-available/forgejo',
        dest: '/etc/nginx/sites-enabled/forgejo',
      }
    - {
        src: '/etc/nginx/sites-available/woodpecker',
        dest: '/etc/nginx/sites-enabled/woodpecker',
      }
    - {
        src: '/etc/nginx/sites-available/sentry',
        dest: '/etc/nginx/sites-enabled/sentry',
@ -43,4 +48,33 @@
      }
  notify: restart nginx
-# TODO: provision certbot configuration
+
 # Run the folowing command to regenerate a certificate:
 #
 # sudo certbot certonly \
 #    --authenticator standalone \
 #    --pre-hook 'systemctl stop nginx' \
 #    --post-hook 'systemctl start nginx' \
 #    --cert-name fudiggity.nl \
 #    -d fudiggity.nl \
 #    -d rss.fudiggity.nl \
 #    -d .....
 #
 # This will also save its configuration.
 #
 - name: copy letsencrypt configuration
  become: true
  template:
    src: 'templates/letsencrypt/cli.j2'
    dest: '/etc/letsencrypt/cli.ini'
    owner: root
    group: root
    mode: '0644'
  notify: restart certbot
 - name: enable certbot periodic certificate renewal
  become: true
  systemd:
    name: certbot.timer
    state: started
    enabled: true
--- a/templates/letsencrypt/cli.j2
+++ b/templates/letsencrypt/cli.j2
@ -0,0 +1,12 @@
 # {{ ansible_managed }}
 #
 # Because we are using logrotate for greater flexibility, disable the
 # internal certbot logrotation.
 max-log-backups = 0
 # Adjust interactive output regarding automated renewal
 preconfigured-renewal = True
 authenticator = standalone
 pre-hook = /bin/systemctl stop nginx
 post-hook = /bin/systemctl start nginx
--- a/templates/nginx/woodpecker.j2
+++ b/templates/nginx/woodpecker.j2
@ -0,0 +1,29 @@
 # {{ ansible_managed }}
 server {
 	listen {{ https_port }} ssl;
 	server_name {{ woodpecker_domain }};
 	include snippets/certificates.conf;
 	include snippets/ssl-params.conf;
 	access_log /var/log/nginx/woodpecker.log;
 	error_log /var/log/nginx/woodpecker.log;
 	location / {
 		gzip off;
 		proxy_read_timeout      90;
 		proxy_connect_timeout   90;
 		proxy_redirect          off;
 		proxy_set_header Host 			$host;
 		proxy_set_header X-Real-IP 		$remote_addr;
 		proxy_set_header X-Forwarded-For   	$proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Ssl     	on;
 		proxy_set_header X-Forwarded-Proto 	$scheme;
 		proxy_set_header X-Frame-Options 	SAMEORIGIN;
 		proxy_pass 				http://{{ woodpecker_ip }}:{{ woodpecker_port }};
 	}
 }
--- a/vars/main.yml
+++ b/vars/main.yml
@ -9,3 +9,4 @@ packages:
  - ca-certificates
  - gnupg
  - radeontop
  - certbot
--- a/vars/network.yml
+++ b/vars/network.yml
@ -16,6 +16,9 @@ forgejo_ip: '127.0.0.1'
 forgejo_port: '3000'
 forgejo_ssh_port: '22'
 woodpecker_ip: '127.0.0.1'
 woodpecker_port: '8000'
 newsreader_ip: '127.0.0.1'
 newsreader_port: '5000'
--- a/vars/nginx.yml
+++ b/vars/nginx.yml
@ -1,4 +1,5 @@
 domain_name: 'fudiggity.nl'
 forgejo_domain: 'forgejo.fudiggity.nl'
 woodpecker_domain: 'woodpekcer.fudiggity.nl'
 sentry_domain: 'sentry.fudiggity.nl'
 newsreader_domain: 'rss.fudiggity.nl'